Ship selinux-autorelabel utility and systemd unit files

initscripts package is being slowly removed so fedora-autorelabel utility and systemd unit files need a new home. At the same time, "fedora-" prefix is changed to general "selinux-". /lib/systemd/fedora-autorelabel -> /usr/libexec/selinux/selinux-autorelabel fedora-autorelabel.service -> selinux-autorelabel.service fedora-autorelabel-mark.service -> selinux-autorelabel-mark.service Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1328825
2016-04-25 09:36:31 +02:00 · 2016-04-25 09:36:31 +02:00 · 9753a77a76
parent 6c6496a616
commit 9753a77a76
4 changed files with 93 additions and 0 deletions
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -17,6 +17,9 @@ URL:	 http://www.selinuxproject.org
 Source2: policycoreutils_man_ru2.tar.bz2
 Source3: system-config-selinux.png
 Source4: sepolicy-icons.tgz
+Source5: selinux-autorelabel
+Source6: selinux-autorelabel.service
+Source7: selinux-autorelabel-mark.service
 # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
 # run:
 # $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils
@ -27,12 +30,14 @@ Patch1:  sepolgen-fedora.patch
 Patch100: policycoreutils-fix-semanage-python3.patch
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
+Conflicts: initscripts < 9.66
 Provides: /sbin/fixfiles
 Provides: /sbin/restorecon

 BuildRequires:	pam-devel libcgroup-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver}  libcap-devel audit-libs-devel >=  %{libauditver} gettext
 BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel
 BuildRequires: python python-devel python3 python3-devel setools-devel >= 3.3.8-10
+BuildRequires: systemd
 Requires: util-linux grep gawk diffutils rpm sed
 Requires: libsepol >= %{libsepolver} coreutils libselinux-utils >=  %{libselinuxver}

@ -115,6 +120,14 @@ rm -f %{buildroot}%{_datadir}/system-config-selinux/selinux-polgengui.desktop
 rm -f %{buildroot}%{_datadir}/system-config-selinux/sepolicy.desktop
 rm -f %{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.desktop

+# https://bugzilla.redhat.com/show_bug.cgi?id=1328825
+mkdir   -m 755 -p %{buildroot}/%{_unitdir}/basic.target.wants/
+install -m 644 -p %{SOURCE6} %{buildroot}/%{_unitdir}/
+install -m 644 -p %{SOURCE7} %{buildroot}/%{_unitdir}/
+install -m 755 -p %{SOURCE5} %{buildroot}/%{_libexecdir}/selinux/
+ln -s ../selinux-autorelabel.service %{buildroot}/%{_unitdir}/basic.target.wants/
+ln -s ../selinux-autorelabel-mark.service %{buildroot}/%{_unitdir}/basic.target.wants/
+
 %find_lang %{name}

 %package python-utils
@ -353,6 +366,11 @@ fi
 %{_sbindir}/sestatus
 %{_bindir}/secon
 %{_libexecdir}/selinux/hll
+%{_libexecdir}/selinux/selinux-autorelabel
+%{_unitdir}/selinux-autorelabel-mark.service
+%{_unitdir}/basic.target.wants/selinux-autorelabel-mark.service
+%{_unitdir}/selinux-autorelabel.service
+%{_unitdir}/basic.target.wants/selinux-autorelabel.service
 %config(noreplace) %{_sysconfdir}/sestatus.conf
 # selinux-policy Requires: policycoreutils, so we own this set of directories and our files within them
 %{_mandir}/man5/selinux_config.5.gz
--- a/43
+++ b/43
@ -0,0 +1,43 @@
+#!/bin/bash
+#
+# Do automatic relabelling
+#
+
+# . /etc/init.d/functions
+
+relabel_selinux() {
+    # if /sbin/init is not labeled correctly this process is running in the
+    # wrong context, so a reboot will be required after relabel
+    AUTORELABEL=
+    . /etc/selinux/config
+    echo "0" > /sys/fs/selinux/enforce
+    [ -x /bin/plymouth ] && plymouth --hide-splash
+
+    if [ "$AUTORELABEL" = "0" ]; then
+	echo
+	echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
+	echo $"*** /etc/selinux/config indicates you want to manually fix labeling"
+	echo $"*** problems. Dropping you to a shell; the system will reboot"
+	echo $"*** when you leave the shell."
+	sulogin
+
+    else
+	echo
+	echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+	echo $"*** Relabeling could take a very long time, depending on file"
+	echo $"*** system size and speed of hard drives."
+
+	FORCE=`cat /.autorelabel`
+        [ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
+	/sbin/fixfiles $FORCE restore > /dev/null 2>&1
+    fi
+    rm -f  /.autorelabel
+    /usr/lib/dracut/dracut-initramfs-restore
+    systemctl --force reboot
+}
+
+# Check to see if a full relabel is needed
+if [ "$READONLY" != "yes" ]; then
+    restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
+    relabel_selinux
+fi
--- a/selinux-autorelabel-mark.service
+++ b/selinux-autorelabel-mark.service
@ -0,0 +1,15 @@
+[Unit]
+Description=Mark the need to relabel after reboot
+DefaultDependencies=no
+Requires=local-fs.target
+Conflicts=shutdown.target
+After=local-fs.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=!selinux
+ConditionPathIsDirectory=/etc/selinux
+ConditionPathExists=!/.autorelabel
+
+[Service]
+ExecStart=-/bin/touch /.autorelabel
+Type=oneshot
+RemainAfterExit=yes
--- a/selinux-autorelabel.service
+++ b/selinux-autorelabel.service
@ -0,0 +1,17 @@
+[Unit]
+Description=Relabel all filesystems, if necessary
+DefaultDependencies=no
+Requires=local-fs.target
+Conflicts=shutdown.target
+After=local-fs.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=selinux
+ConditionKernelCommandLine=|autorelabel
+ConditionPathExists=|/.autorelabel
+
+[Service]
+ExecStart=/usr/libexec/selinux/selinux-autorelabel
+Type=oneshot
+TimeoutSec=0
+RemainAfterExit=yes
+StandardInput=tty